Skip to main content
Carbon Karma

Privacy Policy

Last updated: May 10, 2026

This is an interim policy. Carbon Karma is in a small-group preview. A complete, attorney-drafted Privacy Policy is being prepared and will replace this page before public launch. The descriptions below accurately reflect what the app does today.

What we collect

  • Account information: name, email address, and password (hashed with bcrypt — we never see your plaintext password).
  • Authentication via Google: if you sign in with Google, we receive your name, email, and Google profile image (we do not receive your Google password).
  • Carbon footprint inputs: zip code, household size, vehicle and driving habits, energy usage, and recycling habits — used to calculate your estimated annual emissions.
  • Purchase history: projects funded, tons purchased, payment amounts, and timestamps.
  • Email verification status: whether you have clicked the verification link sent to your email address.

What we do NOT collect

  • Payment card details.Card numbers, expiration dates, and security codes are entered directly into Stripe's hosted checkout page and never touch our servers. We receive only a payment confirmation token.
  • Precise location. We use the zip code you provide. We do not request or use device GPS, browser geolocation, or IP-based location lookups.
  • Tracking cookies for advertising. We do not run third-party advertising trackers. We use only cookies strictly necessary for the site to function (session, authentication, CSRF) plus an error-monitoring SDK that does not track behavior across sites.

How we use your data

  • To run your account and process your offset purchases.
  • To match you with carbon offset projects nearest to your zip code.
  • To compute and display your Carbon Karma Score and your community's aggregate impact.
  • To send you transactional emails (verification, password reset, purchase receipts). You cannot opt out of transactional emails. You can opt in/out of product updates and climate tips on the Profile page.
  • To send you marketing emails about new projects or features only if you have opted in (Profile → Preferences).

Who we share with

  • Stripe — for payment processing.
  • Resend — for transactional email delivery.
  • Vercel — for hosting and infrastructure.
  • Neon — for the application database.
  • Sentry — for error monitoring and debugging (when configured).
  • Carbon offset suppliers — when you make a purchase, the supplier receives the project, quantity, and purchase ID needed to retire the credits in the registry. They do not receive your name, email, or other personal data.

We do not sell your personal information. We do not share your data with advertisers, data brokers, or political campaigns.

Your community page

The Community Impact page shows aggregate offset statistics by geographic area (city, county, state, or national). Aggregate counts are released only when at least 10 distinct community members have contributed in that area, to protect against de-anonymization. Individual user identities are never shown on community pages.

Your rights

You can export, correct, or delete your account and data at any time from the Profile page. When you delete your account, your purchase records remain in our database with the user identifier removed (pseudonymized); the registry serial numbers and the retired credits they represent are unaffected. California residents have additional rights under CCPA/CPRA, including the right to know what data we hold and the right to non-discrimination for exercising those rights — to make a request, contact us via the email address below.

Data retention

We retain account data for as long as your account is active. When you delete your account, we remove your personal information (name, email, password hash, footprint snapshots, session and provider records) within 30 days. Offset purchase records are retained pseudonymously — your row remains linked to its project and registry serial number for audit trails, but the user identifier is set to null. Some records may be retained longer where legally required.

Children

Carbon Karma is intended for users 18 years of age or older. We do not knowingly collect personal information from children under 13. If you become aware that a child has provided us with personal information, contact us and we will delete it.

Changes to this policy

We will replace this interim policy with an attorney-drafted version before public launch and will notify registered users by email. After that, we may make changes from time to time and will post the updated date at the top of this page; material changes will trigger an email notification.

Contact

For privacy questions, data requests, or concerns, please contact the Carbon Karma team. (A dedicated privacy contact email will be published with the final attorney-drafted policy.)

See also: Terms of Service · Photo credits